# remove-Usercerrt.1.0
# - Loads all Users from AD with "Usercertificate"
# - removes Certificates
#
# Attn: Does not check certificate age etc. its a real "cleanup" skript
#
# Version 1.0 
#	erste triviale Version

$dc="SRV01"
$domain = "msxfaq.local"
$ADS_PROPERTY_CLEAR = 1 

Write-Host "----------------  remove-Usercerrt startet -----------------------"

# Search für all NEW objects in active directory
Write-Host " Preparing AD-Search"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dc/$domain")
#$objSearcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"")
$objSearcher.PageSize = 1000
$objSearcher.Filter = "(&(UserCertificate=*))"

Write-Host " Searching ...."
$objSearcher.FindAll() | % {
	Write-Host "----- Processing Object: " $_.path
	#Write-Progress -Activity "Processing Users" -Status $_.adspath -PercentComplete ($count / $total *100);
	$adobject = $_.getDirectoryEntry()
	$adobject.UserCertificate.Clear()
	#$adobject.PutEx ($ADS_PROPERTY_CLEAR,"UserCertificate", 0
	$adobject.setinfo()
}
write-host 'DONE Processing'